At the first of two Congressional hearings this week, Facebook CEO Mark Zuckerberg on Tuesday faced questions from Republicans and Democrats alike about whether the government should more closely regulate his firm and others.

The CEO faced tough questioning at the U.S. Senate hearing that focused, among other things, on Facebook's privacy scandal involving Cambridge Analytica's alleged misuse of the personal data of tens of millions of individuals to sway voters in the 2016 U.S. presidential election.

Sen. Richard Blumenthal, D-Conn., told Zuckerberg that he's not confident that Facebook could change its business model to protect data privacy "unless there are rules of the road, regulations enforced by an outside agency."

Zuckerberg told Blumenthal that he "generally agrees" that companies should be required to provide consumers with plain information about how a company will use data and about obtaining users' consent to share data.

Based on what's been revealed about the problems Facebook has had, "what should we tell our constituents ... that we should allow you to self-regulate your business practices?" Graham asked.

"The real question is, what is the right regulation?" Zuckerberg answered, adding that Facebook would be willing to work with legislators in "submitting some proposed regulations."

The Facebook CEO also said that there are areas where regulations could "make sense," for example by codifying into law a simple practice for explaining what a company is doing with individuals' data.

Regulations, he said, also could specify that individuals must have complete control over how their information is shared. Plus, he said, regulations could help "enable innovation" while balancing privacy and security. For example, he pointed out that Facebook asks users to give their special consent for the company's facial recognition technology to be applied.

Sen. John Kennedy, R-La., said during the hearing that "there are going to be a bunch of bills" introduced to try to regulate Facebook to give consumers more control over their data privacy. "I believe users already have that control over their data," Zuckerberg replied.

Second Hearing Wednesday

In addition to his testimony on Tuesday before a joint hearing of the Senate Judiciary and Commerce committees, Zuckerberg on Wednesday will testify before the House Committee on Energy and Commerce, which released his opening comments on Monday (see Facebook's Zuckerberg Takes First Drubbing in D.C.).

Zuckerberg's written testimony largely sticks to Facebook's talking points since the Cambridge Analytica outrage erupted last month. Whistleblowing by a former data scientist at the voter-profiling firm has raised concerns over whether Facebook allowed too much access to its rich troves of personal data.

Russian Tampering

Regarding Russian tampering in the 2016 U.S. elections, Zuckerberg told the senators that Facebook's security team has been aware of Russian cyber threats - such as hacking and malware - for years.

Leading up to election day in November 2016, Facebook detected and dealt with several threats with ties to Russia, he said in his written testimony. This included activity by a group called APT28 that the U.S. government has linked to Russian military intelligence services.

"But while our primary focus was on traditional threats, we also saw some new behavior in the summer of 2016 when APT28-related accounts, under the banner of DC Leaks, created fake personas that were used to seed stolen information to journalists. We shut these accounts down for violating our policies," Zuckerberg testified.

Zuckerberg said Facebook also learned about a disinformation campaign run by the Internet Research Agency, a Russian agency that has repeatedly acted deceptively and tried to manipulate people in the U.S., Europe, and Russia. The company found about 470 accounts and pages linked to the agency, which generated about 80,000 Facebook posts over about a two-year period.

"Our best estimate is that approximately 126 million people may have been served content from a Facebook page associated with the IRA at some point during that period. On Instagram, where our data on reach is not as complete, we found about 120,000 pieces of content, and estimate that an additional 20 million people were likely served it," according to Zuckerberg's written statement. "Over the same period, the IRA also spent approximately $100,000 on more than 3,000 ads on Facebook and Instagram, which were seen by an estimated 11 million people in the U.S. Facebook shut down these IRA accounts in August 2017."

Last week, Facebook took down more than 270 additional pages and accounts operated by the Russian agency and used to target people in Russia and Russian speakers in countries including Azerbaijan, Uzbekistan and Ukraine, Zuckerberg testified. Some of the pages removed belong to Russian news organizations that Facebook determined were controlled by the agency, he said.

"There's no question that we should have spotted Russian interference earlier, and we're working hard to make sure it doesn't happen again," Zuckerberg said in his written testimony.

The Facebook CEO also noted at Tuesday's Senate hearing that the company has been working with special counsel Robert Mueller, who's investigating Russian interference in the election. "I'm not aware of any subpoenas but we are working with the special counsel," he told senators.

AI Tools

Facebook is building and implementing new technology to prevent data abuse, Zuckerberg said.

"Since 2016, we have improved our techniques to prevent nation-states from interfering in foreign elections, and we've built more advanced AI tools to remove fake accounts more generally," he said.

For the special election in Alabama to fill a vacant U.S. Senate seat, he said in his written statement, "we deployed new AI tools that proactively detected and removed fake accounts from Macedonia trying to spread misinformation."

The company's investments in security technology are also growing significantly, Zuckerberg said.

"We now have about 15,000 people working on security and content review. We'll have more than 20,000 by the end of this year," he said in written testimony. "I've directed our teams to invest so much in security - on top of the other investments we're making - that it will significantly impact our profitability going forward. But I want to be clear about what our priority is: protecting our community is more important than maximizing our profits."

Facebook is also working on improving vetting of the identity and location of advertisers that want to run political ads, Zuckerberg noted.

The company will hire "thousands of more people" for this effort, Zuckerberg said. "We're committed to getting this done in time for the critical months before the 2018 elections in the U.S. as well as elections in Mexico, Brazil, India, Pakistan and elsewhere in the next year."

Bug Bounty

Facebook on Tuesday also said it was launching a new "Data Abuse Bounty" to reward people who report any misuse of data by app developers.

"The Data Abuse Bounty, inspired by the existing bug bounty program that we use to uncover and address security issues, will help us identify violations of our policies," the company said.

"While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention," the company said.

Other Senate Hearing Highlights

Here's a summary of some other issues addressed at Tuesday's hearing:

Sen. Jeff Flake, R-Ariz., asked if Zuckerberg believes that the governments of China or Russia have harvested detailed data sets off Facebook. "We have kicked off an investigation of every app that has access to a large amount of people's data before we locked down the platform in 2014," the Facebook CEO replied.

Zuckerberg said he "wants to ensure no one interferes in mid-term 2018 elections" and that Facebook is deploying and using AI tools to address that.

Sen. Edward Markey, D-Mass., asked Zuckerberg whether he would support legislation to protect the privacy rights of minors under the age of 16, which would require parental permission before the child's data can be reused. "I'm not sure if we need a law, but this is certainly a thing that deserves a lot of attention," Zuckerberg said.

Zuckerberg told Sen. Maggie Hassan, D-N.H., that the company - short of changing its business model - already has a financial incentive to protect consumers' privacy. "It's not our position that regulations are bad ... [But] I disagree that we have no financial incentive [to protect consumers' data]. This episode has hurt us and our social mission, and we need to do a lot in building trust back."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
